
First of all, I'd like to say I really like working with networks and managing computers, but I do it as a hobby. I'm not really a professional and only do it for my own things as I love learning about IT. Btw, English is not my first language, so expect some weird expressions along the way.

So, I'm managing an office with approximately 20 computers connected to a server with AD. The server has two network cards, one NIC connected to the internet and the other to the LAN. This server is responsible for DHCP, AD, File sharing and I have configured a point-to-site VPN.

With that configuration, everything was working quite well so far. However, we recently had a problem with our internet provider, which had a broken fiber and left us without internet for 2 days. So, we decided to hire a new ISP to have load balancing and failover, and we acquired a TP-Link ER605 router to do the job. The detail is that the office is opening a branch, and it would be very interesting to create a site-to-site VPN to use the same server with AD and access to files.

My question is regarding the best way to structure the network and server with this new router. As the router has a VPN function, I could use it to make a site-to-site VPN with the branch. However, point-to-site VPNs would be better handled by the Windows server, as I don't need to create new user accounts directly on the router (just using AD accounts).

So, I have two options:

  1. Currently used option: Provider 1 + Provider 2 -> Router ER605 (192.168.0.1) -> (Nic1 192.168.0.2) Server (Nic2 192.168.100.0) -> Switch -> Network Computers, Printers, etc.

  2. Provider 1 + Provider 2 -> Router ER605 (192.168.100.1) -> Switch -> Server (Nic 1 192.168.100.2). This way, connecting the router to the switch and setting everything to the same subnet.

I have several doubts about how this would work. In option 1, the router only does the load balancing, and all other functions stay with the server (but I lose the possibility of doing the site-to-site VPN through the router, since it is external to the server's firewall and on a separate subnet).

In option 2 I would have more freedom to configure the router, without depending so much on the server for DHCP and other network features. However, I don't know if this way I could create a site-to-site VPN on the router and a point-to-site VPN on the server, since now the server is behind the router in the same IP range (and I would like to keep the VPNs from clients using AD accounts).

Any tip is welcome; I would just like to understand a little better how the network would work when set up in different ways and how it could affect the VPN, server and AD.

1 Answer


As you've said you're a hobbyist, let me lay down some rather emphatic truths that I think most people would agree with.

Your current setup

NEVER assign a public IP to a Windows Server without a reason; reasons could be hosting a website, or because it's required for remote access, as with Azure. If you do NEED to do this, then you need to do it with extreme caution.

If a server needs an external connection, for instance to host a website, then the easiest way to do it is to forward the required ports.

Apologies if this doesn't translate well, I don't mean to be rude, but this is a massive no-no.

How to do things

In answer to your networking question, the above should give you a good idea of what's best, but my recommendation would be:

  • Server on private IP behind firewall/router
  • Site-to-Site tunnel on the firewalls/routers

That's pretty much it, job done! The VPN may be a bit tricky to set up but find and follow a guide and you should be fine.

Sam Foley
As I said, any tip/information is really welcome. It's not rude at all. Btw, I don't know if I added the correct information in my question here. I have the two ethernet adapters, but none of them are directly exposed to the internet. One of them takes care of the LAN (and goes to the switch) and the other connects to the modem/router that the ISP gave us. The only way to connect to the server is through the L2TP VPN I have on WS (and it uses a port forward on the ISP modem/router). We don't have websites hosted or anything, only AD and the file sharing. – Charles Tomazini Mar 17 '22 at 14:00
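An added check for the answer's first point (this is not code from the question or from Sam Foley's answer): run it on the Windows Server itself to confirm that no adapter holds a public IPv4 address and, if one does, to list the TCP listeners and the firewall profile that would be reachable on it. It assumes the NetTCPIP and NetConnection modules that ship with Windows Server 2012 and later.

```powershell
# Classify an IPv4 address as non-routable (RFC 1918, loopback, link-local,
# CGNAT) so that anything else is treated as a public, internet-facing address.
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 10) { return $true }                                   # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true } # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }               # 192.168.0.0/16
    if ($b[0] -eq 127) { return $true }                                  # loopback
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }               # link-local (APIPA)
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return $true } # 100.64.0.0/10
    return $false
}

# Every IPv4 address bound to any adapter on this host.
$exposed = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { -not (Test-PrivateIPv4 $_.IPAddress) }

if (-not $exposed) {
    Write-Host "OK: no adapter holds a public IPv4 address; the server sits behind NAT/firewall."
    return
}

foreach ($addr in $exposed) {
    Write-Warning ("Adapter '{0}' holds public address {1}" -f $addr.InterfaceAlias, $addr.IPAddress)

    # Which Windows Firewall profile applies on that adapter (Public is the strictest default).
    $profile = Get-NetConnectionProfile -InterfaceIndex $addr.InterfaceIndex -ErrorAction SilentlyContinue
    if ($profile) { Write-Host ("  Firewall profile: {0}" -f $profile.NetworkCategory) }

    # Listeners bound to 0.0.0.0 or to this address are reachable from the internet
    # unless a firewall rule for that profile blocks them.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', $addr.IPAddress) } |
        ForEach-Object {
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            [pscustomobject]@{ Port = $_.LocalPort; Process = $proc }
        } |
        Sort-Object Port -Unique |
        Format-Table -AutoSize
}
```

Any port that appears in the table and is not deliberately published (such as the L2TP/IPsec ports for the point-to-site VPN) is a candidate for removal from that adapter or for a blocking firewall rule.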